Stopping ransomware in its tracks

As the pandemic’s one-year milestone passes, federal IT leaders are planning for what’s next, including large-scale hybrid work environments.

Keeping data and business operations secure is priority one, but phishing, ransomware and advanced threat attacks have grown significantly over the past year. Cybercriminals target remote government employees as they adapt to new environments and technology. Adversaries leverage COVID-19 spikes to target health care institutions that may be more susceptible to attack to exfiltrate sensitive data. Financial attacks target the stimulus funds, with bad actors posing as government officials to phish for sensitive information and push out ransomware.

Agencies can no longer rely on traditional network security approaches as they build out hybrid IT environments and deploy modern digital services. To reduce cyber risk in 2021, government cyber leaders are modernizing security and turning to zero trust models.

Tracking invisible threats

Since March 2020, there has been a 500% increase in ransomware attacks over Transport Layer Security (TLS) according to the Zscaler ThreatLabZ report, 2020 State of Encrypted Attacks.

This growth highlights the importance and urgency of having a comprehensive capability to perform SSL inspection, sandboxing and threat prevention on all internet traffic. These capabilities are critical, giving IT teams the ability to detect and prevent threats hidden in encrypted streams.

Threat actors continue to use phishing to obtain initial access to an agency endpoint because it’s easy and they only need one victim to fall for a phishing campaign to breach a network. While Binding Operational Directive 18-01 has enhanced email security across the federal space, attackers are still able to use various techniques to evade detection.

Once malicious actors obtain initial access to an endpoint, they can launch additional attacks depending on their nefarious intent:

  • Inject into or leverage processes running with elevated privileges.
  • Pull down additional payloads to install ransomware.
  • Log keystrokes or scrape the screen to steal login credentials while a user is logging in.
  • Harvest a user’s address book and use the contacts to phish others, common in business email compromise campaigns.
  • Enumerate and attempt to access any accessible enterprise services available to the user due to overly permissive or insecure permissions.
  • Exploit vulnerabilities or misconfigurations on other systems.
  • Target high-value assets, databases or repositories with sensitive information.

Ransomware delivery is one of the most common next-stage attacks. This billion-dollar industry benefits from the fact that traditional approaches to network segmentation are time consuming and complicated to implement and manage on an enterprise scale. Too often, there are gaping holes left open that an attacker can hop through. Because an attacker only needs one foothold, one pathway into an agency’s network, cyber defenders on the front lines must account for all potential entry points to adequately defend the enterprise.

These realities highlight the urgency for agencies to adopt zero trust solutions to reduce the risk that an attacker with a foothold in a computer will take down the entire organization. Besides closing gaps, agencies must quickly deploy and scale solutions. They don’t have years to evolve their legacy network-centric security to successfully combat today’s threats.

To fully protect IT environments, agencies need real-time visibility and security with a cloud-based proxy architecture. Securely directing traffic straight to the cloud (application to application) will enable improved data mobility, eliminate network-centric security bottlenecks and deliver more robust security capabilities that can scale.

A cloud-based proxy architecture also allows agencies to easily inspect encrypted traffic at scale. It eliminates the need to deploy physical boxes on-premises to uncover and block threats, without extra cost or performance degradation. The result is reduced latency, improved user experience and consolidated, individually managed security capabilities. As a former defender, I know that every bit of efficiency helps to keep the folks on the front lines focused on supporting the mission, versus supporting technology.

Securing IT environments with zero trust

Federal cyber leaders can achieve many efficiencies with cloud-based security solutions.

Many agencies initially increased capacity on remote-access solutions, including virtual private networks, to accommodate spiking numbers of teleworkers. This led to a significant increase in traffic coming in and out of the network, which caused bottlenecks and put federal data, devices and users at risk.

In addition, when agencies place their security technology at the perimeter of their network, all traffic has to be backhauled through the data center and VPN before accessing applications -- resulting in latency, poor user experience and reduced productivity. When users are frustrated, they will sometimes take matters into their own hands and implement alternative approaches -- shadow IT -- often not in line with security best practices.

Instead, with the Trusted Internet Connection (TIC) 3.0 guidance providing new options, agencies are adopting zero-trust models that inherently do not trust any user, device or network location, and each identity and device is assessed before granting access to an application. The approach reduces the attack surface by making applications invisible and accessible only by authorized users.

Agencies are also implementing direct-to-cloud connections that eliminate the hair-pinning caused by backhauling traffic through a VPN -- reducing traffic and latency, and ultimately, improving the user experience.

Employees can securely access the cloud, internet and software-as-a-service applications from any location while meeting or exceeding government requirements. By never placing users directly on the network, zero trust can also prevent cybercriminals from taking one foothold and turning it into a complete domain compromise. 

Fighting cybercrime with updated policy

As federal IT and cybersecurity leaders continue to modernize and secure their network architecture, there are many resources and emerging opportunities. TIC 3.0 has been a game changer that allows agencies to move away from the network-centric approach and realign their security posture to focus on securing users and data traffic in any location.

Agencies should follow the National Institute of Standards and Technology’s SP 800-207 guidance as they migrate and deploy zero trust across their enterprise environment. This guidance has opened the door for agencies to adopt modern security capabilities and hybrid cloud environments, allowing them to connect users with direct-to-cloud access without backhauling traffic to the data center first.

By creating a least-privilege access model, federal cyber leaders can ensure the right person, device and service has access to the data needed, while protecting high-value assets. 
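The per-request assessment described in the zero-trust section above (identity and device are evaluated before access to each application, network location is not a trust input, and applications a user is not authorized for stay invisible) together with the least-privilege model in the previous paragraph, as an added Python example. This is illustrative code written for this page, not the article’s or any vendor product’s engine; the posture attributes, thresholds, application names and sample users are constructed for the example.

```python
"""Minimal zero-trust access broker: default deny, per-application policy.

Every request is evaluated on identity and device posture. The source IP
is accepted only so it can be logged; it never contributes to the decision.
All names, thresholds and sample data below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Identity:
    user: str
    groups: FrozenSet[str]
    mfa_verified: bool
    session_age_min: int


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool          # enrolled in the agency's device management
    disk_encrypted: bool
    patch_age_days: int    # days since the last approved patch baseline
    edr_healthy: bool      # endpoint agent reporting and not tampered with


@dataclass(frozen=True)
class AppPolicy:
    name: str
    allowed_groups: FrozenSet[str]   # least privilege: explicit group grant
    require_mfa: bool = True
    max_session_age_min: int = 480
    max_patch_age_days: int = 30
    require_managed_device: bool = True


@dataclass(frozen=True)
class Decision:
    allow: bool
    reasons: Tuple[str, ...]   # every failed check, for audit logging


def evaluate(identity: Identity, device: Device, app: AppPolicy,
             source_ip: Optional[str] = None) -> Decision:
    """Return allow only when every identity and device check passes."""
    reasons: List[str] = []
    if app.require_mfa and not identity.mfa_verified:
        reasons.append("mfa_not_verified")
    if identity.session_age_min > app.max_session_age_min:
        reasons.append("session_expired")
    if not (identity.groups & app.allowed_groups):
        reasons.append("user_not_authorized_for_app")
    if app.require_managed_device and not device.managed:
        reasons.append("unmanaged_device")
    if not device.disk_encrypted:
        reasons.append("disk_not_encrypted")
    if device.patch_age_days > app.max_patch_age_days:
        reasons.append("device_unpatched")
    if not device.edr_healthy:
        reasons.append("edr_unhealthy")
    # source_ip is deliberately unused for the decision: a "trusted" subnet
    # is exactly the foothold an attacker would hop from.
    return Decision(allow=not reasons, reasons=tuple(reasons))


def visible_apps(identity: Identity, device: Device,
                 policies: List[AppPolicy]) -> List[str]:
    """Applications the broker exposes to this user/device; the rest stay invisible."""
    return [p.name for p in policies if evaluate(identity, device, p).allow]


# Constructed sample policies and principals.
SOC_CONSOLE = AppPolicy("soc-console", frozenset({"soc"}))
HR_PORTAL = AppPolicy("hr-portal", frozenset({"hr"}))
POLICIES = [SOC_CONSOLE, HR_PORTAL]

ALICE = Identity("alice", frozenset({"soc"}), mfa_verified=True, session_age_min=30)
ALICE_LAPTOP = Device("lt-0001", managed=True, disk_encrypted=True,
                      patch_age_days=7, edr_healthy=True)
STALE_DESKTOP = Device("dt-0042", managed=True, disk_encrypted=True,
                       patch_age_days=90, edr_healthy=False)


if __name__ == "__main__":
    # Remote user on a healthy managed device: allowed.
    print(evaluate(ALICE, ALICE_LAPTOP, SOC_CONSOLE, source_ip="203.0.113.7"))
    # Same user on an unpatched, agent-less device from the "internal" LAN: denied.
    print(evaluate(ALICE, STALE_DESKTOP, SOC_CONSOLE, source_ip="10.0.0.5"))
    print(visible_apps(ALICE, ALICE_LAPTOP, POLICIES))
```

The point of the `reasons` tuple is operational: a zero-trust broker that only answers allow or deny is hard to troubleshoot and hard to audit, so each failed check is named and can be logged alongside the ignored source address.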

About the Author

Danny has 20 years of cybersecurity experience split between offensive computing as an ethical hacker and defending some of our most important networks. As a highly regarded thought leader and trusted cybersecurity advisor, Danny has provided guidance and formulated strategies to combat emerging threats for various agencies across the federal government.

Prior to joining Zscaler, Danny was the Associate CISO, Operations Branch Chief for the Centers for Disease Control and Prevention (CDC). During his 11-year tenure at CDC, Danny was responsible for implementing operational capabilities to support incident response, forensics, cyber threat intel and insider threat functions. He has designed, implemented and optimized enterprise cybersecurity capabilities to effectively detect, prevent and respond to emerging cybersecurity threats.
